As we gear up for the Payments show (#payments2011) next week in Austin (stop by and visit us at Booth 806 if you are going), NACHA has released a phishing scam alert: people are receiving emails that appear to come from NACHA and ask for more details about ACH transactions.
George Tubin, a fraud analyst at TowerGroup, says he’s surprised that any fraudster would use NACHA as a guise for a socially engineered attack, since most consumers don’t know the organization. “But this has been going on for a while,” he adds. NACHA first reported suspicious e-mail activity connected with its name in July.
He’s right. Average consumers probably don’t know what NACHA is, nor should they. But if the scam has been going on since July then clearly it doesn’t matter; it’s working for the fraudsters.
Just today I read a column by Kari English in BankNews discussing M-Banking Threats and a variation of phishing called smishing (a text message, rather than an email, that asks the consumer to call a bogus IVR, which then solicits an account number and password). The great point she made, which really applies to all banking and not just mobile banking, is
“It does not matter how much security the bank provides if the owner of the phone is not educated on the possible threats”
Yep, I couldn’t agree more.
I think there are two reasons why phishing scams still work. First, consumers are so inundated with push marketing messages of “you should do this or that” that it all starts to sound the same and we ignore them; second, businesses are somewhat complacent about ongoing communication on security threats like phishing because they are “so last year,” so to speak. And it is. Phishing is an old trick, especially to people dealing with risk and security issues every day. But it’s the average consumer we all need to remember, and phishing tactics, especially as they morph into smishing or what have you, are not so easy for consumers to spot.
Consumers may not know NACHA, but it’s understandable how someone might fall for this trick. Wouldn’t you freak out a little bit if you thought your automatic payroll deposit wasn’t going in or your mortgage payment wasn’t going to be processed? Most banks are periodically reminding people they don’t solicit account numbers and PINs by email or phone, but is it enough? If I’d received a message about any ACH transactions and thought it was legitimate, my suspicious mind would have me either picking up the phone and calling my bank (not the number in the email) or logging into my account online.
As a quick research project I decided to look at the general websites and online accounts for two banks that I use, one a very big bank and the other a small community bank, to see what anti-phishing resources they provide. I’m disappointed by what I found.
What’s for certain is fraud scams are not going away. Perhaps it’s time for security professionals to stop relying on just media awareness and step up fraud prevention education in the place it is most relevant – the online banking systems.